metasploit

We’ve been tracking Metasploit commits since Matasano’s premature publication of [Dan Kaminsky]’s DNS cache poisoning flaw on Monday knowing full well that a functional exploit would be coming soon. Only two hours ago [HD Moore] and [I)ruid] added a module to the Metasploit Project that will let anyone test the vulnerability (with comment: “ZOMG. What is this? >:-)“). [HD] told Threat Level that it doesn’t work yet for domains that are already cached by the DNS server, but it will automatically wait for the cached entry to expire and then complete the attack. You can read more about the bailiwicked_host.rb module in CAU’s advisory. For a more detailed description of how the attack works, see this mirror of Matason’s post. You can check if the DNS server you are using is vulnerable by using the tool on [Dan]’s site.

You’ve no doubt heard that the site hosting Metasploit, the exploit framework, was hacked earlier this week, but what you may not have heard is that it was done using a layer 2 attack. Though Metasploit.com was not actually cracked, a server on the same VLAN was compromised and used to ARP poison the gateway. ARP poisoning is a method of sniffing data by sending a false ARP message to an Ethernet router to associate the hacker’s MAC address with a valid IP address from a genuine network node. From there the hackers were able to mount their MITM attack and show the image above instead of Metasploit’s website. This problem could have been avoided if the ISP was using fixed ARP entries, which is what [HD Moore] had to do to get the site back online. [Richard Bejtlich] points out that even though most people have been focusing on application security lately, fundamental attacks like this still happen. If you’re doing a good job protecting yourself, you can still be at the mercy of the security of 3rd parties when operating in shared hosting environments.

Not even a week ago we asked what we should do with our OLPC XO. InformIT’s [Seth Fogie] has written a great two part article that covers turning it into a hacker toolkit. Part one is an overview of the OLPC, how to upgrade it, and do some usability tweaks. Part two covers installing Nessus, Metasploit, and doing some wireless sniffing. We’ll be building our own little green monster based on this and let you know how it goes.